The Latest on CDK Global Cybersecurity
Risks Come into Focus after Lurking in the Shadows
As frequent auto conference attendees and sponsors, we discuss trends in the industry with other service providers. In an increasingly digital world, we’ve noted an increase in service providers catering to cybersecurity in a variety of ways. While no dealer gets excited about spending thousands of dollars to mitigate risks rather than grow profits, the CDK Global cyberattack may be a watershed moment for the industry.
Background
On Wednesday, June 19, 2024, CDK Global informed its dealership clients that a “cyber incident” had occurred, and it was shutting down all systems to keep customer information safe, an outage it indicated on Thursday afternoon would last for several days. The cyberattack effectively shut down its dealership management systems (“DMS”), impacting nearly 15,000 stores, representing more than half of all auto dealers in the country.
This core operating system generates the monthly financial statements sent to the OEMs, which are a principal input into the valuation process. But beyond analyzing historical financial information, the DMS is critical to the day-to-day operations of dealerships, and there is significant uncertainty about when systems will come back online. This led dealers to revert to manual processes to facilitate operations, raising costs and stunting sales opportunities. The impact on core operating activities is hard to overstate.
A hacker group from Eastern Europe has claimed to have hacked CDK Global and reportedly is demanding tens of millions of dollars in ransom. CDK briefly restored some services for a few hours on June 19, but a second attack caused it to deactivate them. Reports late last week indicated that CDK was expected to pay the ransom, though more recent reporting indicated a resolution was not expected until after quarter-end (on Sunday).
In a discussion with AutoNews, CEO Brian MacDonald defended their cyberattack response. It can be difficult to thread the needle of reassuring customers while also not committing to exactly when the company can restore normal operations, as the hackers could then hold them hostage and demand higher ransom in order to fulfill those promises. As of Friday afternoon, it is still uncertain when all dealers will be fully operational, but CDK indicated it would not be by June 30 for many of its dealers. As a positive sign, a second small group of dealers including publicly traded Group 1 Automotive has been restored.
Why Auto Dealers?
The industry is ubiquitous, processes sensitive information, and has numerous potential entry points for bad actors. The industry’s sheer size also means there is a large ransom opportunity for hackers. While this is certainly the most widespread and publicized attack in the history of the industry, it is not the only one in the industry this year. As highlighted by Car Dealership Guy, whose Twitter account/media network has been covering the situation in real time:
- “This January, two attacks, one targeting Hyundai’s Europe division, the other Asbury Automotive Group in the U.S., resulted in terabytes of stolen data and loss of revenue due to systems being rendered inoperable by ransomware.”
- “Manufacturing vendors such as CIE Automotive and Jasman have also faced breaches over the last year. Some incidents have been linked to the same criminal organizations, such as Cactus, which was responsible for the attacks against CIE and Asbury.”
- “CDK’s attack also comes hot on the heels of Findlay Automotive Group’s breach last week, which has already brought on a lawsuit accusing the company of negligence.”
While the auto industry is not a stranger to these attacks, it is worth noting that cybercrime has been increasing, with news stories of large ransoms paid by companies in a variety of industries, notably those with significant access to sensitive consumer information, including healthcare. In 2023 alone, more than 2,200 entities were directly impacted by ransomware, including U.S. hospitals, schools, and governments, according to a CBS News article citing Emsisoft, an anti-malware software company.
Publicly traded auto dealers, including Sonic, Lithia, and AutoNation, disclosed that the incident had disrupted operations but that manual processes were being utilized to facilitate operations. The incident, as expected, has negatively impacted the stock prices of dealers. In April 2022, Brookfield Business Partners took CDK private in a transaction totaling $6.4 billion. CDK was the last publicly traded DMS provider at the time.
What’s Next?
Companies in all industries have increasingly adopted enterprise software, which can work best when fully integrated. Unfortunately, the cost of this interconnectivity is that cybersecurity issues can spread more rapidly. As Geoffrey Pohanka, chairman of Pohanka Automotive Group, told the Wall Street Journal, “They’re a very integrated company; it’s better for us to deal with one vendor than two dozen small vendors.” This thinking may change if risk mitigation comes to supersede operational efficiency.
It’s unclear how this will unfold, but dealers will at the least be much more aware and concerned about cybersecurity and will be considering their options to reduce this risk. It is not unreasonable to suggest that dealers would consider other DMS providers after there has been significant consolidation in this industry for years. For what it’s worth, CDK’s primary competitors are saying and doing all the right things:
“This shouldn’t happen to anyone. Doesn’t matter if it is a competitor or not”
–Jay Vijayan, founder and CEO of Tekion
“Right now, our industry is under attack. CDK was reportedly a target, but the impact of this goes far beyond CDK — it is hurting a lot of dealers and consumers as we enter the peak of summer. We all need to find ways to help. We are looking at what we can do, and most importantly, what we can do quickly. Standing up a DMS overnight is not feasible, but printing and shipping paper repair orders and buyer’s orders same day is. So we are ramping up production in our printing facility.”
–Chris Walsh, President of Reynolds and Reynolds
Conclusion
At Mercer Capital, we perform valuations of auto dealerships for owners and advisors all around the country for a variety of purposes. Additionally, we follow the auto industry closely to stay current with market trends in dynamic times such as these.